

Question

I am taking a web security class and was told by the instructor that most of the websites today use https for authentication and then use a cookie (authentication token) in plain text to keep track of the user.

I wanted to confirm this. For example, when I use Amazon.com, if I logged in before, Amazon shows something relevant to my history. For this they must be using a cookie. But when I click on Account, an https page is opened. If I am looking at my account details, why would Amazon choose to send a cookie (acting as an authentication token) in plain text? If I can listen over the wire, can't I just steal the cookie and hijack someone's session?

My hypothesis is that websites like Amazon have multiple cookies, some are for pages that don't need https (like the home page), but still want to keep track of user history; others are for tracking if user authenticated previously (so user doesn't need to type password again), and this type of cookie must always be sent over https.

Can anyone confirm my hypothesis? (I believe my instructor might not be entirely correct.)

Explanation / Answer

This could be achieved in a relatively secure manner with two cookies.

One has the Secure flag set, and will contain your HTTPS session details and is used throughout the checkout process when making a purchase. The Secure flag ensures that the browser only sends the cookie over connections protected by SSL/TLS (i.e. ones that use the HTTPS protocol).

The other does not have this flag set, and will store the HTTP session details. The session details stored on the server side could be items viewed, or if you have previously logged in it could tie your session up to an account. This is what would be used when the site says Welcome John when you return without logging in.

For this to work, there should be no way of determining the secure session cookie value from the insecure one.

The insecure cookie could be used up to the point of entering the checkout or the account details pages, where a login over HTTPS is then required and the secure session cookie is then set. This would stop a MITM attack from obtaining the cookie, as, if an attacker stole the insecure cookie, the worst they could do is alter the browsing history of the user, or add/remove things from the basket. If it was implemented in this way it would be assumed the user would check that the basket items copied to their secure session are the ones they actually wanted to order before completing checkout (or that they read their confirmation email and cancel items later).

It is not clear from your question whether your instructor is referring to the sending of plain text cookies carefully using good practice like the above, or as a bad example of how not to do it. If the latter, many websites do in fact only protect certain pages such as login and card details pages with HTTPS, but then go on to use the same authentication or session cookie over HTTP pages too, not realising that this cookie value is sent in the clear and can be read by a suitably placed attacker.
